Takeaway apps Deliveroo and Just Eat have said they are working to combat fraud, after customers reported their accounts had been used to buy food they did not order.
One customer told the BBC Deliveroo took five days to shut his account after he reported fraudulent activity.
Both companies said their own systems had not been breached and passwords had been obtained from another source.
Deliveroo said it had introduced new measures this year to protect users.
Just Eat said it took the safeguarding of customer data “extremely seriously” and was liaising with customers who had reported fraudulent activity.
Several Deliveroo customers told the BBC they realised their accounts had been accessed when they received an email from the company saying the email address linked to their account had been changed.
Fraudsters then ordered food through their account using credit obtained by claiming refunds for previous orders.
Deliveroo said cyber criminals relied on people reusing passwords for multiple online services and used data breaches on other sites to try to access Deliveroo accounts.
Andrew Shaw, 33, from London, said he had to wait five days after he reported fraudulent activity on his account before Deliveroo shut it down.
By this point Mr Shaw had already cancelled his card and three orders had been placed, using £11 credit he already had on his account and £27 credit obtained from a refund.
A Deliveroo spokesman said: “There are rare occasions we don’t meet the high standards our customers expect and we are working hard to correct and address the issues raised.”
The company said it takes security “extremely seriously” and is continually rolling out measures to combat fraud, including introducing extra security checks when it detects changes to account details.
Another customer, Ian Cutress, 33, from London, said an order was placed on his account to an estate less than three miles away, with instructions to “ring when close for detailed delivery instructions”.
After contacting Deliveroo, the company deactivated the account.
Mr Cutress said he was relieved his card details were not attached to his account, so the fraudster was only able to place an order using refund credit and he was not left out of pocket.
Just Eat also confirmed it had received reports of “isolated” fraudulent activity, which it said appeared to be the result of “malicious third parties using usernames and passwords from an unknown source”, which was not Just Eat.
On Thursday, one customer wrote on Twitter that they had cancelled their bank card after it was fraudulently used to purchase food through Just Eat.
The customer claimed they had been told by the company’s customer services they had received “numerous calls” about similar issues that day.
Just Eat said it had multiple security measures in place, which are continually reviewed to ensure they are robust.
It is not the first time takeaway apps have been targeted by fraudsters. In 2016 the BBC found Deliveroo customers had been charged hundreds of pounds after their accounts were used fraudulently.
To avoid being hacked, Action Fraud advises using strong, unique passwords for online accounts and, where available, enable two-factor authentication, which means the account can only be accessed with a device you have already registered.